Lost in space? NASA “fell short” on cloud security, report finds

NASA is no stranger to peering into nebulae in space – but the space agency found itself perplexed by the more Earthbound puzzle of cloud computing security, according to a report by the Office of the Inspector General.

“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” said the report, NASA’s Progress in Adopting Cloud-Computing Technologies.

“NASA spends about $1.5 billion annually on its portfolio of information technology (IT) assets – which includes more than 550 information systems that control spacecraft, collect and process scientific data, provide security for IT infrastructure, and enable Agency personnel to collaborate with colleagues around the world,” the report said.

The report found that NASA had put data at risk by moving it into public clouds without notifying security officers. In one incident, data was on a public cloud for two years without authorization or any security plan, according to a report by CNET.

More than 100 of NASA’s internal and external websites did not have proper security controls. NASA is seen as a pioneer in government use of cloud computing, according to a report by GovInfo Security.

The space agency launched its Nebula cloud computing project in 2008, described as “an open-source cloud computing project and service developed to provide an alternative to the costly construction of additional data centers whenever NASA scientists or engineers require additional data processing.”

NASA shut Nebula in 2012 when it was discovered that public clouds, such as those offered by Amazon, were more reliable and cost-effective.

The space agency has long been a target for hackers, with hackers in China reportedly breaking into Jet Propulsion Laboratory systems and gaining “full control” over them, according to a 2012 report by the Office of the Inspector General.

“As NASA expands its use of public cloud services, it is imperative that the Agency strengthen its governance and risk management practices to mitigate the chance that Agency operations may be disrupted, data lost, or public funds misused,” the report concluded.

Ha! I’m not surprised! I worked at the Cape as a senior computer systems admin. I discovered that ALL the networks at the Cape had practically no security, other than horribly configured routers and firewalls. The networks involved included NASA, the Air Force, and dozens of contractors’ networks. I found that most of the networks were visible from the “outside” and tried to get the situation fixed. The reactions I received were in the neighborhood of “Who cares?”. The bosses didn’t want to spend the money because they considered systems security to be a pain in the ass.

In Washington, there are swarms of people who work on creating policies and procedures to ensure that the government’s computer networks are “safe”. However, the number of Security Officers to ensure that these policies and procedures are implemented and adhered to is shockingly small. Security Officers are barely tolerated in most departments and their recommendations are met with derision.

I’m sure some Department Boss read some fluffy articles about how cloud computing was the next big thing and how it would solve all those nasty IT problems. Of course the Department Boss probably didn’t listen to the objections of his Security Officers and got things moving to the cloud as quickly as possible. Why? Because the Department Boss can talk to the Agency Boss and not ever mention that Security might have some objections to the plan.